Documentation ¶
Overview ¶
The package twofactor implements the RFC 6238 TOTP: Time-Based One-Time Password Algorithm
The library provides a simple and secure way to generate and verify the OTP tokens and provides the possibility to display QR codes out of the box
The library supports HMAC-SHA1, HMAC-SHA256, HMAC-SHA512
Index ¶
Constants ¶
This section is empty.
Variables ¶
var (
LockDownError = errors.New("The verification is locked down, because of too many trials.")
)
Functions ¶
This section is empty.
Types ¶
type Totp ¶
type Totp struct {
// contains filtered or unexported fields
}
WARNING: The `Totp` struct should never be instantiated manually! Use the `NewTOTP` function
func NewTOTP ¶
This function creates a new TOTP object This is the function which is needed to start the whole process account: usually the user email issuer: the name of the company/service hash: is the crypto function used: crypto.SHA1, crypto.SHA256, crypto.SHA512 digits: is the token amount of digits (6 or 7 or 8) steps: the amount of second the token is valid it autmatically generates a secret key using the golang crypto rand package. If there is not enough entropy the function returns an error The key is not encrypted in this package. It's a secret key. Therefore if you transfer the key bytes in the network, please take care of protecting the key or in fact all the bytes.
func TOTPFromBytes ¶
TOTPFromBytes converts a byte array to a totp object it stores the state of the TOTP object, like the key, the current counter, the client offset, the total amount of verification failures and the last time a verification happened
func (*Totp) QR ¶
QR generates a byte array containing QR code encoded PNG image, with level Q error correction, needed for the client apps to generate tokens The QR code should be displayed only the first time the user enabled the Two-Factor authentication. The QR code contains the shared KEY between the server application and the client application, therefore the QR code should be delivered via secure connection.
func (*Totp) ToBytes ¶
ToBytes serialises a TOTP object in a byte array Sizes: 4 4 N 8 4 4 N 4 N 4 4 4 8 4 Format: |total_bytes|key_size|key|counter|digits|issuer_size|issuer|account_size|account|steps|offset|total_failures|verification_time|hashFunction_type| hashFunction_type: 0 = SHA1; 1 = SHA256; 2 = SHA512 The data is encrypted using the cryptoengine library (which is a wrapper around the golang NaCl library) TODO: 1- improve sizes. For instance the hashFunction_type could be a short.
func (*Totp) Validate ¶
This function validates the user privided token It calculates 3 different tokens. The current one, one before now and one after now. The difference is driven by the TOTP step size Based on which of the 3 steps it succeeds to validates, the client offset is updated. It also updates the total amount of verification failures and the last time a verification happened in UTC time Returns an error in case of verification failure, with the reason There is a very basic method which protects from timing attacks, although if the step time used is low it should not be necessary An attacker can still learn the synchronization offset. This is however irrelevant because the attacker has then 30 seconds to guess the code and after 3 failures the function returns an error for the following 5 minutes